Abstract — We consider problems of authentication using secret 
key generation under a privacy constraint on the enrolled source 
data. An adversary who has access to the stored description and 
correlated side information tries to deceive the authentication 
as well as learn about the source. We characterize the optimal 
tradeoff between the compression rate of the stored description, 
the leakage rate of the source data, and the exponent of the 
adversary’s maximum false acceptance probability. The related 
problem of secret key generation with a privacy constraint is 
also studied where the optimal tradeoff between the compression 
rate, leakage rate, and secret key rate is characterized. It reveals 
a connection between the optimal secret key rate and security of 
the authentication system. 

I. Introduction 

We consider the problem of authentication based on secret 
key generation. In the enrollment stage, a user provides the 
source sequence $X^n$ to the system. The source is compressed 
into a description $M$ which is stored as a helping message. 
Meanwhile, the secret key message $S$ is generated based on the 
source and will be used as a reference for authentication. In 
the authentication stage, the user provides an authentication 
sequence $Y^n$ which could be a noisy measurement of the 
enrolled source sequence. Based on $M$ and $Y^n$, the secret 
key is estimated as $\hat{S}$ and compared with the reference $S$. The 
user is successfully authenticated if $\hat{S} = S$. 

The system described above can be relevant in several 
applications, including those involving access control and secure 
and trustworthy communication. One important class of 
potential applications is related to using biometric data such as 
fingerprints, iris scans, and DNA sequences for authentication 
(see, e.g., [1] and references therein). Unlike passwords, 
biometric data inherently belong to users and provide a 
convenient and seemingly more secure way of authenticating. 
However, it is crucial that the privacy of the enrolled data 
be protected from any inference by an adversary. The privacy 
risk in this case is potentially of high impact since 
biometric data is commonly tied to a person's identity. If it 
is compromised, it cannot be reverted or changed as in the 
case of passwords. 

In this work, we consider the secret-key based authentication 
problem in the presence of an adversary, who has 
access to the stored description $M$ as well as correlated side 
information $Z^n$, as shown in Fig. 1. The adversary tries to 
deceive the authentication using its own sequence $y^n$ and is 
also interested in learning about the enrolled source data $X^n$. 
We call the event where the legitimate user fails during the 
authentication a false rejection, and the event where the 
system accepts the adversary a false acceptance. As for 
the privacy constraint, normalized mutual information between 
the enrolled source data $X^n$ and all information available 
at the adversary, e.g., $(M, Z^n)$, is used as a measure of 
information leakage rate. We wish to design an authentication 
system that achieves negligible false rejection probability and 
at the same time minimizes 1) the compression rate of the 
stored description, 2) the leakage rate of the enrolled source, 
and 3) the maximum false acceptance probability (mFAP) 
exponentially. In general, there exists a tradeoff between the 
compression rate, the information leakage rate, and the mFAP 
exponent. For example, to obtain a large mFAP exponent 
while achieving reliable authentication for the legitimate user, 
a "high quality" description $M$ may need to be stored, which 
in turn can lead to a high amount of information leakage. The 
main result of this work is a single-letter characterization 
of the fundamental tradeoff between the compression rate, 
information leakage rate, and mFAP exponent for discrete 
memoryless sources. 

Fig. 1. Secret key-based authentication system with a privacy constraint. 

Closely related to the setting described above, we consider 
also the problem of secret key generation (for authentication) 
with a privacy constraint where, apart from reliable reconstruction 
of the secret key, we wish to maximize the secret 
key rate as well as ensuring that the leakage rate of the key 
is negligible. Also in this case, the optimal tradeoff between 
the compression rate, leakage rate of the source, and secret 
key rate is characterized. In particular, the optimal secret key 
rate is shown to be equivalent to the optimal mFAP exponent 
derived in the first problem. 

Related Work 

Authentication problems from an information theoretic perspective 
have been studied in several directions. Maurer in [2] 
considered the message authentication problem in connection 
with the hypothesis testing problem where the underlying 
message probability distributions of the legitimate user and 
adversary are assumed to be different. Martinian et al. [3] 
considered authentication with a distortion criterion. More recently, 
several works have considered authentication problems based 
on secret key generation [4]. These include for example works 
[5], [6], [7] which focused on biometric authentication systems 
where privacy of the enrolled data is also taken into account. 
Analysis of deception probability in the authentication system 
from an adversary’s perspective was also considered in [8]. 
Closely related to the secret key-based authentication problem 
with privacy constraint are the problems of source coding 
with privacy constraint, e.g., [9], [10], where the goals are to 
reconstruct the source reliably while preserving the privacy of 
the source or the reconstruction sequences from any inference 
of an eavesdropper. In this work, we extend the problem in [6] 
to a more general case where the adversary has correlated side 
information. Moreover, we provide a complete characterization 
of the problem studied in [7]. Standard notations in [11] are 
used. 

II. Secret key-based Authentication System 
A. Problem Formulation 

Let us consider a secret key-based authentication system 
shown in Fig. 1. Source and side information alphabets, 
$\mathcal{X}, \mathcal{Y}, \mathcal{Z}$, are assumed to be finite. Let $(X^n, Y^n, Z^n)$ be 
$n$-length sequences which are i.i.d. according to $P_{X,Y,Z}$. 

In the enrollment stage, based on the user's source sequence 
$X^n$, an "encoder" generates a rate-limited description $M \in \mathcal{M}^{(n)}$ 
and a secret key message $S \in \mathcal{S}^{(n)}$. For authentication, 
the user provides a (noisy) authentication sequence $Y^n$ to 
the system. Based on $Y^n$ and the stored description $M$, a 
"decoder" generates $\hat{S}$ as an estimate of the secret key. The 
user will be positively authenticated if $\hat{S} = S$. 

The information leakage rate at the adversary who has 
access to the stored description $M$ and side information $Z^n$, 
correlated with $X^n$, is measured by the normalized mutual 
information $I(X^n; M, Z^n)/n$. The adversary, based on $M$ and 
$Z^n$, also chooses a sequence $y^n(M, Z^n) \in \mathcal{Y}^n$ for authentication. 
The maximum false acceptance probability (mFAP) 
is defined as $\mathrm{mFAP} = \max_{y^n(M, Z^n) \in \mathcal{Y}^n} \Pr(\hat{S}_{y^n} = S)$, where 
$\hat{S}_{y^n}$ is the estimate resulting from $M$ and $y^n$. We are interested 
in characterizing the optimal tradeoff between the compression 
rate, information leakage rate, and mFAP exponent. 

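Definition 1: A code for secret key-based authentication 
with a privacy constraint consists of 

• an encoder $f_m^{(n)} : \mathcal{X}^n \to \mathcal{M}^{(n)}$, 

• an encoder $: \mathcal{X}^n \to \mathcal{S}^{(n)}$, 

• a decoder $g : \mathcal{M}^{(n)} \times \mathcal{Y}^n \to \mathcal{S}^{(n)}$, 

where $\mathcal{M}^{(n)}$ and $\mathcal{S}^{(n)}$ are finite sets. 

Definition 2: A compression-leakage-mFAP exponent tuple 
$(R, L, E) \in \mathbb{R}^3_+$ is said to be achievable if for any $\delta > 0$ and 
all sufficiently large $n$ there exists a code above such that 

$$\Pr(\hat{S} \neq S) \leq \delta, \tag{1}$$

$$\frac{1}{n} \log |\mathcal{M}^{(n)}| \leq R + \delta, \tag{2}$$

$$\frac{1}{n} I(X^n; M, Z^n) \leq L + \delta, \tag{3}$$

$$\text{and} \quad \frac{1}{n} \log \frac{1}{\mathrm{mFAP}} \geq E - \delta. \tag{4}$$

The compression-leakage-mFAP exponent region $\mathcal{R}_1$ is the set 
of all achievable tuples. 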


B. Result 

Theorem 1: The compression-leakage-mFAP exponent region 
$\mathcal{R}_1$ for the problem depicted in Fig. 1 is given by the set 
of all tuples $(R, L, E) \in \mathbb{R}^3_+$ such that 

$$R \geq I(X; V|Y), \tag{5}$$

$$L \geq I(X; V, Y) - I(X; Y|U) + I(X; Z|U), \tag{6}$$

$$E \leq I(V; Y|U) - I(V; Z|U), \tag{7}$$

for some joint distributions of the form $P_{X,Y,Z} P_{V|X} P_{U|V}$ with 
$|\mathcal{U}| \leq |\mathcal{X}| + 3$, $|\mathcal{V}| \leq (|\mathcal{X}| + 3)(|\mathcal{X}| + 2)$. 

Remark 1 (Randomized encoder): Theorem 1 holds also 
for a more general setting which allows randomized encoders, 
i.e., $M$ and $S$ are randomly generated according to $p(m|x^n)$ 
and $p(s|x^n)$, respectively. This can be seen from the converse 
proof of Theorem 1, in which no assumption regarding 
deterministic encoders was made. 

Remark 2 (Special cases): 

i) When side information at the adversary is degraded, i.e., 
$X - Y - Z$ forms a Markov chain, the compression-leakage-mFAP 
exponent region is reduced to the set $\mathcal{R}_{1,X-Y-Z}$ 
consisting of all tuples $(R, L, E)$ such that 

$$R \geq I(X; V|Y),$$

$$L \geq I(X; Z) + I(X; V|Y),$$

$$E \leq I(V; Y|Z),$$

for some joint distributions of the form $P_{X,Y} P_{Z|Y} P_{V|X}$. We 
obtain this region from $\mathcal{R}_1$ by setting $U$ constant. The converse 
proof is modified slightly and is provided in Appendix A. 

ii) When the adversary has no side information, the result 
in Theorem 1 reduces to that in [6]. For example, by setting 
$Z$ and $U$ equal to constants and $R = H(X)$, we recover [6, 
Theorem 4]. 

Proof of Theorem 1: The sketch of achievability proof 
is given below based on a random coding argument where we 
use the definitions and properties of $\epsilon$-typicality as in [11]. 
Our achievable scheme utilizes layered coding and binning, 
while the converse proof for the information leakage rate is 
inspired by that of the secure source coding problem [9]. 

Achievability: Fix $P_{V|X} P_{U|V}$. Let $\epsilon$ and $\delta_\epsilon$ be positive 
real numbers where $\delta_\epsilon \to 0$ as $\epsilon \to 0$. Assume that 
$I(V; Y|U) - I(V; Z|U) > 0$. The case where $I(V; Y|U) - 
I(V; Z|U) \leq 0$ is trivial since the encoder can just set the 
secret key message to be constant and does not transmit at all, 
implying that $(R, L, E) = (0, I(X; Z), 0)$ is achievable. 

1) Codebook generation: Randomly and independently generate 
$u^n(j)$ sequences, each i.i.d. according 
to $\prod_{i=1}^{n} P_U(u_i)$, $j \in [1 :$ . Then distribute 
them uniformly at random into bins $b_U(m_1)$, 
$m_1 \in$ . For each $j$, randomly and 
conditionally independently generate $v^n(j, k)$ 
sequences, each i.i.d. according to $\prod_{i=1}^{n} P_{V|U}(v_i|u_i)$, $k \in 
[1 :$ , and distribute these sequences uniformly 
at random into bins $b_V(j, m_2)$, $m_2 \in$ . 
Moreover, in each bin $b_V(j, m_2)$, we 
distribute sequences $v^n$ uniformly at random into subbins, 
indexed by $s$, where $s \in [1 :$ . The 
index $s$ here represents a subbin index of the second-layered 
bin. In each subbin, there are sequences $v^n$, 
each indexed by $s'$. Note that $k = (m_2, s, s')$ here. The 
codebooks are then revealed to all parties. 

2) Enrollment: Given $x^n$, the encoder looks for $u^n(j)$ and 
$v^n(j, k)$ that are jointly typical with $x^n$. From the covering 
lemma [11], with high probability, there exist such codeword 
pairs. If there is more than one pair, the encoder selects one 
of them uniformly at random, and then sends the corresponding 
bin indices $m_1$ and $m_2$ to the decoder. The total rate is thus 
equal to $I(X; U|Y) + I(X; V|U, Y) + 5\delta_\epsilon = I(X; V|Y) + 5\delta_\epsilon$. 
The secret key is set to be the subbin index $s$ in which the 
chosen sequence $v^n \in b_V(j, m_2)$ falls. 

3) Authentication: The decoder looks for $u^n(j)$ and $v^n(j, k)$ 
in the bins $(m_1, m_2)$ which are jointly typical with $y^n$. From 
the packing lemma [11], with high probability, it will find 
the unique sequence $u^n(j) \in b_U(m_1)$ which is jointly typical 
with $y^n$. Then, with high probability, it will find the unique 
$v^n(j, k) \in b_V(j, m_2)$ which is jointly typical with $y^n$ and the 
decoded $u^n(j)$. Finally, it puts out the corresponding subbin 
index of the decoded $v^n$ as an estimate of the secret key which, 
with high probability, will be equal to the generated one. 

Let $U^n(J)$ and $V^n(J, K)$ be the codewords chosen at the 
encoder in the enrollment stage, and $(M_1, M_2)$ be the corresponding 
indices of the bins to which $U^n(J)$ and $V^n(J, K)$ 
belong. Note that $(M_1, M_2)$ can be determined from $(J, K)$. 

From the enrollment stage, the sources and 
selected codewords are jointly typical, i.e., 
$(X^n, U^n(J), V^n(J, K), Y^n, Z^n) \in \mathcal{T}_\epsilon^{(n)}$ with high 
probability. We have the following lemma. 

Lemma 1: The following bound holds, $H(Z^n|J) \leq 
n(H(Z|U) + \delta_\epsilon)$. 

Proof: The proof is given in Appendix B. ■ 

Then, the information leakage averaged over all possible 
codebooks can be bounded as follows. 

$$
\begin{aligned}
I(X^n; M_1, M_2, Z^n) &= H(X^n) - H(X^n|M_1, M_2, Z^n) \\
&\leq nH(X) - H(X^n|J, Z^n) + H(M_2) \\
&\leq nH(X) - H(X^n, Z^n) + H(J) + H(Z^n|J) + H(M_2) \\
&\overset{(a)}{\leq} -nH(Z|X) + n(I(X; U) + \delta_\epsilon) + n(H(Z|U) + \delta_\epsilon) + n(I(X; V|U, Y) + 3\delta_\epsilon) \\
&\overset{(b)}{\leq} n(I(X; U, Z) + I(X; V|U, Y) + \delta'_\epsilon) \\
&\overset{(c)}{=} n(I(X; V, Y) - I(X; Y|U) + I(X; Z|U) + \delta'_\epsilon) \\
&\leq n(L + \delta'_\epsilon),
\end{aligned}
$$

if $L \geq I(X; V, Y) - I(X; Y|U) + I(X; Z|U)$, where (a) 
follows from the memoryless property of the sources, from the 
codebook generation, and from bounding the term $H(Z^n|J)$ 
as in Lemma 1, (b) from the Markov chain $U - X - Z$ for some 
$\delta'_\epsilon \geq 5\delta_\epsilon$, and (c) from the Markov chain $U - V - X - (Y, Z)$. 

As for an achievable mFAP exponent, we consider the 
adversary who knows $m = (m_1, m_2)$ and side information 
$z^n$ and tries to select a sequence $y^n(m, z^n)$ that results in the 
estimated key $\hat{S}_{y^n}$ equal to the original key $S$ of the person it 
claims to be. From our achievable scheme, the secret key $S$ is 
chosen from the subbin index of the selected codeword $V^n$. 
Thus, the adversary only needs to consider $\hat{S}_{y^n}$ that results 
from sequences L" which are jointly typical with W”. There 
are in total such sequences generated. 

Similarly as in [6], from the binning scheme with uniform 
bin and subbin index assignment, we have that the joint 
probability that a description $m$ is selected and a certain secret 
key $s$ is chosen is equal to the total number of jointly typical 
sequences $v^n$ with corresponding indices $m$ and $s$ divided by 
the total number of jointly typical sequences $v^n$. That is, 


Pr(M = m, S = s) < 


[ 5 ] 


( 8 ) 


2niIiX-U,V)+2S^) 

Let $g(\cdot)$ denote the decoding function used for estimating 
the secret key message in the achievability scheme. Then 


mFAP = max Prison = S) 
y"(M,Z")Gy^" 

max Pr( 5 (M,y"(M,Z")) =5) 

< V V max Pr(M = = z”, 

g{m,y'^{m,z'^)) = S) 

= VV max Pr(M = TO,S'= g(m,y"(TO,z")))- 

mz^ 

Pr(Z" = z"|M = m,S = g{m, y'^{m, z"))) 

H ^ |-Pr(M = m) • -| 


l^l 


2n{I{X-,U,V)+2Ss) 


< 


V- /Pr(M = m) ■ . 


2n(I(X-U,V)+2S^) 


(c 


,^-u{I{V-,Y\U)-IiV-,Z\U)-S'J 


where (a) follows from the uniform bin and subbin index 
assignment in the achievable scheme and the bound 
in (8), (b) follows from the code construction where 
$|\mathcal{S}| =$ and $|\mathcal{M}| = |\mathcal{M}_1||\mathcal{M}_2| = 
2^{n(I(X; V|Y) + 5\delta_\epsilon)}$, and (c) follows from the Markov chain 
$U - V - Y$ which results in $I(V; Y) \geq I(V; Y|U)$. 

That is, we have 

$$\frac{1}{n} \log \frac{1}{\mathrm{mFAP}} \geq I(V; Y|U) - I(V; Z|U) - \delta'_\epsilon \geq E - \delta'_\epsilon,$$

if $E \leq I(V; Y|U) - I(V; Z|U)$. 

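Converse: Let $U_i \triangleq (M, Y_{i+1}^n, Z^{i-1})$ and $V_i \triangleq (M, S, Y_{i+1}^n, Z^{i-1})$, 
which satisfy $U_i - V_i - X_i - (Y_i, Z_i)$ 
for all $i = 1, \ldots, n$, as $U_i$ is included in $V_i$ and $(Y_i, Z_i)$ is 
independent of $V_i$ given $X_i$ due to the memoryless property 
of the side information channel $P_{Y,Z|X}$. For any achievable 
tuple $(R, L, E) \in \mathbb{R}^3_+$, it follows that 

$$
\begin{aligned}
n(R + \delta_n) \geq H(M) &\geq H(M|Y^n) - H(M, S|X^n, Y^n, Z^n) \\
&= H(M, S|Y^n) - H(S|M, Y^n) - H(M, S|X^n, Y^n, Z^n) \\
&\overset{(a)}{\geq} I(M, S; X^n, Z^n|Y^n) - n\epsilon_n \\
&\overset{(b)}{\geq} \sum_{i=1}^{n} H(X_i, Z_i|Y_i) - H(X_i, Z_i|V_i, Y_i) - n\epsilon_n \\
&\geq \sum_{i=1}^{n} I(X_i; V_i|Y_i) - n\epsilon_n,
\end{aligned}
$$

where (a) follows from Fano's inequality $H(S|M, Y^n) \leq n\epsilon_n$ 
and (b) follows from the definition of $V_i$ and that conditioning 
reduces entropy. 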

The information leakage can be bounded as follows. 

$$
\begin{aligned}
n(L + \delta_n) &\geq I(X^n; M, Z^n) \\
&= I(X^n; M, S, Y^n) - I(X^n; S|M, Y^n) - I(X^n; Y^n|M) + I(X^n; Z^n|M) \\
&\overset{(a)}{\geq} I(X^n; M, S, Y^n) - n\epsilon_n - I(X^n; Y^n|M) + I(X^n; Z^n|M) \\
&= \sum_{i=1}^{n} H(X_i) - H(X_i|M, S, X^{i-1}, Y^n) - H(Y_i|M, Y_{i+1}^n) \\
&\qquad + H(Y_i|M, Y_{i+1}^n, X^n) + H(Z_i|M, Z^{i-1}) - H(Z_i|M, Z^{i-1}, X^n) - n\epsilon_n \\
&\overset{(b)}{\geq} \sum_{i=1}^{n} H(X_i) - H(X_i|M, S, X^{i-1}, Y^n, Z^{i-1}) - I(Y_i; X_i) \\
&\qquad + I(Y_i; M, Y_{i+1}^n) + I(Z_i; X_i) - I(Z_i; M, Z^{i-1}) - n\epsilon_n \\
&\overset{(c)}{\geq} \sum_{i=1}^{n} I(X_i; M, S, X^{i-1}, Y^n, Z^{i-1}) - I(Y_i; X_i) + I(Z_i; X_i) \\
&\qquad + I(Y_i; M, Y_{i+1}^n, Z^{i-1}) - I(Z_i; M, Y_{i+1}^n, Z^{i-1}) - n\epsilon_n \\
&\overset{(d)}{\geq} \sum_{i=1}^{n} I(X_i; V_i, Y_i) - I(Y_i; X_i|U_i) + I(Z_i; X_i|U_i) - n\epsilon_n,
\end{aligned}
$$

where (a) follows from Fano's inequality, (b) follows from 
the Markov chains $X_i - (M, S, X^{i-1}, Y^n) - Z^{i-1}$ and 
$(Y_i, Z_i) - X_i - (M, Y_{i+1}^n, Z^{i-1}, X^{n \setminus i})$, (c) follows from 
the Csiszár's sum identity [12], $\sum_{i=1}^{n} I(Y_i; Z^{i-1}|M, Y_{i+1}^n) - 
I(Z_i; Y_{i+1}^n|M, Z^{i-1}) = 0$, (d) follows from the definitions of 
$U_i$ and $V_i$ and the Markov chain $U_i - X_i - (Y_i, Z_i)$. 

Lastly, the bound on mFAP exponent $n(E - \delta_n) \leq 
\sum_{i=1}^{n} I(V_i; Y_i|U_i) - I(V_i; Z_i|U_i)$ can be shown similarly as in 
[6] with some modification. This part of the proof is provided 
in Appendix C. The proof ends with the standard steps for 
single letterization using a time-sharing random variable and 
letting $\delta_n, \epsilon_n \to 0$ as $n \to \infty$. The cardinality bounds on the 
sets $\mathcal{U}$ and $\mathcal{V}$ can be proved using the support lemma [12], 
and are shown in Appendix D. ■ 



Fig. 2. Secret key generation for authentication with a privacy constraint. 

C. Binary Example 

To demonstrate the derived tradeoff, let us consider a 
simple binary example of the special case in Remark 2i). Let 
$X \sim \mathrm{Bern}(1/2)$, $Y$ be an erased version of $X$ with erasure 
probability $p$, and $Z$ be an erased version of $Y$ with erasure 
probability $q$. The region $\mathcal{R}_{1,X-Y-Z}$ in Remark 2i) reduces 
to the set of all $(R, L, E)$ such that 

$$R \geq p(1 - h(\alpha)),$$

$$L \geq (1 - q)(1 - p) + p(1 - h(\alpha)),$$

$$E \leq q(1 - p)(1 - h(\alpha)),$$

for some $\alpha \in [0, 1/2]$. The proof is given in Appendix E. 
We can see for example that there is a tradeoff between the 
mFAP exponent and the leakage rate, i.e., in order to increase 
the mFAP exponent, we need to allow some more leakage. 
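
The following numerical check of the binary example is an added illustration, not code from the paper. It builds the joint distribution of (X, V, Y, Z) with V the output of a BSC(α), evaluates the three mutual-information bounds of Remark 2i) directly, and compares them with the closed-form expressions above; the function names and the sample values of p and q are assumptions of this example.

```python
"""Numerical check of the binary erasure example (added illustration)."""
from itertools import product
from math import log2

ERASED = "e"  # erasure symbol
IDX = {"X": 0, "V": 1, "Y": 2, "Z": 3}  # coordinate of each variable in an outcome


def h2(a):
    """Binary entropy function h(a) in bits."""
    return 0.0 if a in (0.0, 1.0) else -a * log2(a) - (1 - a) * log2(1 - a)


def joint_pmf(p, q, a):
    """Joint pmf of (X, V, Y, Z): X ~ Bern(1/2), V is X through a BSC(a),
    Y is X erased w.p. p, Z is Y erased w.p. q (so X - Y - Z is Markov)."""
    pmf = {}
    for x, v in product((0, 1), repeat=2):
        p_xv = 0.5 * (a if v != x else 1 - a)
        outcomes = [((ERASED, ERASED), p),          # Y erased, hence Z erased
                    ((x, ERASED), (1 - p) * q),     # Y kept, Z erased
                    ((x, x), (1 - p) * (1 - q))]    # both kept
        for (y, z), pr in outcomes:
            if p_xv * pr > 0:
                key = (x, v, y, z)
                pmf[key] = pmf.get(key, 0.0) + p_xv * pr
    return pmf


def entropy(pmf, names):
    """Joint entropy H(names) in bits; names is a string such as "XY"."""
    marg = {}
    for outcome, pr in pmf.items():
        key = tuple(outcome[IDX[n]] for n in names)
        marg[key] = marg.get(key, 0.0) + pr
    return -sum(pr * log2(pr) for pr in marg.values() if pr > 0)


def cond_mi(pmf, a, b, c=""):
    """I(A; B | C) = H(A,C) + H(B,C) - H(A,B,C) - H(C)."""
    return (entropy(pmf, a + c) + entropy(pmf, b + c)
            - entropy(pmf, a + b + c) - entropy(pmf, c))


def region_point(p, q, a):
    """Corner point (R, L, E) of Remark 2i), computed from the joint pmf."""
    pmf = joint_pmf(p, q, a)
    r = cond_mi(pmf, "X", "V", "Y")        # R >= I(X;V|Y)
    l = cond_mi(pmf, "X", "Z") + r         # L >= I(X;Z) + I(X;V|Y)
    e = cond_mi(pmf, "V", "Y", "Z")        # E <= I(V;Y|Z)
    return r, l, e


def closed_form(p, q, a):
    """Closed-form corner point stated in the binary example."""
    g = 1 - h2(a)
    return p * g, (1 - q) * (1 - p) + p * g, q * (1 - p) * g


def tradeoff_curve(p, q, steps=5):
    """List of (alpha, R, L, E) for alpha swept from 0 to 1/2."""
    alphas = [0.5 * k / steps for k in range(steps + 1)]
    return [(a, *region_point(p, q, a)) for a in alphas]


if __name__ == "__main__":
    # Constructed sample parameters: 30% erasures to the user, 40% more to the adversary.
    for a, r, l, e in tradeoff_curve(0.3, 0.4):
        print(f"alpha={a:.2f}  R>={r:.4f}  L>={l:.4f}  E<={e:.4f}")
```

Sweeping α from 0 to 1/2 lowers the mFAP exponent bound and the leakage bound together, which is the tradeoff described in the text.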

III. Secret Key Generation with Privacy Constraint 

In this section, we consider a related problem setting 
depicted in Fig. 2 where, instead of maximizing the mFAP 
exponent, we are interested in maximizing the secret key rate 
generated at the enrollment stage as well as protecting the 
secret key from any inference of an adversary who has access 
to the description $M$ and side information $Z^n$. This setting 
without the compression rate constraint was studied in [7] 
where the authors characterized inner and outer bounds to the 
leakage-key rate region. Moreover, it is closely related to the 
one-way secret key generation with rate constraint in [13]. 

A. Problem Formulation 

The problem setting follows similarly as that in Section II-A, 
except that the mFAP constraint in (4) is replaced 
by the key rate and key leakage constraints. 

Definition 3: A tuple $(R, L, R_s) \in \mathbb{R}^3_+$ is said to be achievable 
if for any $\delta > 0$ and all sufficiently large $n$ there exists a 
code consisting of encoders and a decoder (as in Definition 1) 
such that (1)-(3) hold and 

$$\frac{1}{n} H(S) \geq R_s - \delta, \tag{9}$$

$$\frac{1}{n} I(S; M, Z^n) \leq \delta. \tag{10}$$

The compression-leakage-key rate region $\mathcal{R}_2$ is the set of all 
achievable tuples. 











B. Result 


Theorem 2: The compression-leakage-key rate region $\mathcal{R}_2$ 
for the problem in Fig. 2 is given by the set of all tuples 
$(R, L, R_s) \in \mathbb{R}^3_+$ such that 

$$R \geq I(X; V|Y), \tag{11}$$

$$L \geq I(X; V, Y) - I(X; Y|U) + I(X; Z|U), \tag{12}$$

$$R_s \leq I(V; Y|U) - I(V; Z|U), \tag{13}$$

for some joint distributions of the form $P_{X,Y,Z} P_{V|X} P_{U|V}$ with 
$|\mathcal{U}| \leq |\mathcal{X}| + 3$, $|\mathcal{V}| \leq (|\mathcal{X}| + 3)(|\mathcal{X}| + 2)$. 

Remark 3: Although different achievable schemes were 
used, the inner bound in [7] coincides with the compression-leakage-key 
rate region $\mathcal{R}_2$ where $R = H(X)$. Here we provide 
the complete result by establishing a matching converse. 
In addition, the extra compression rate constraint is considered 
where the layered binning scheme is shown to be optimal. 

Remark 4: The regions specified in Theorems 1 and 2 have 
the same form. In particular, the maximum secret key rate in 
Theorem 2 is equal to the maximum mFAP exponent presented 
in Theorem 1. Intuitively, this follows from the fact that 
the coding scheme used to prove Theorem 1 also achieves 
negligible key leakage rate, implying that the adversary has 
no useful knowledge about the key. It can then only guess 
the key from possible values in the set $\mathcal{S}$ whose cardinality 
is at least . A similar observation for the case without 
adversary's side information was noted in [6]. 

Proof of Theorem 2: Proofs for the compression rate $R$ 
and leakage rate $L$ remain the same as those of Theorem 1. 
Here we only provide the proof of the secret key rate. 

Achievability: With the same achievable scheme as in the 
proof of Theorem 1, it follows that 

$$
\begin{aligned}
H(S) &\geq H(S|J, M_2, S') = H(S, J, M_2, S') - H(J, M_2, S') \\
&\overset{(a)}{\geq} H(U^n, V^n) - H(J) - H(M_2) - H(S') \\
&\overset{(b)}{\geq} n(I(X; U, V) - 2\delta_\epsilon) - n(I(X; U) + \delta_\epsilon) \\
&\qquad - n(I(X; V|U, Y) + 3\delta_\epsilon) - n(I(V; Z|U) - \delta_\epsilon) \\
&\geq n(I(Y; V|U) - I(Z; V|U) - \delta'_\epsilon) \geq n(R_s - \delta'_\epsilon),
\end{aligned}
$$

if $R_s \leq I(Y; V|U) - I(Z; V|U)$, where (a) follows since 
$(U^n, V^n)$ are functions of $(J, K) = (J, M_2, S, S')$ given the 
codebook, and (b) follows from the codebook generation and 
the properties of jointly typical sequences, i.e., $\leq$ 

The key leakage averaged over all possible codebooks can 
be bounded as follows. 

$$
\begin{aligned}
I(S; M_1, M_2, Z^n) &\leq H(S) - H(S|J, M_2, Z^n) \\
&= H(S) - H(S, J, M_2, Z^n) + H(J, M_2, Z^n) \\
&\leq H(S) - H(S, J, M_2, Z^n, S') + H(S'|S, J, M_2, Z^n) \\
&\qquad + H(J) + H(M_2) + H(Z^n|J) \\
&\overset{(a)}{\leq} H(S) - H(U^n, V^n, Z^n) + n\epsilon_n + H(J) + H(M_2) + H(Z^n|J) \\
&\overset{(b)}{\leq} H(S) - n(I(X; U, V) + H(Z|U, V) - 3\delta_\epsilon) \\
&\qquad + n\epsilon_n + n(I(X; U) + \delta_\epsilon) + n(I(X; V|U, Y) + 3\delta_\epsilon) \\
&\qquad + n(H(Z|U) + \delta_\epsilon)
\end{aligned}
$$

where (a) follows since $(U^n, V^n)$ are functions of $(J, K) = 
(J, M_2, S, S')$ given the codebook, and from the Fano's 
inequality $H(S'|S, J, M_2, Z^n) \leq n\epsilon_n$ (this is due to the 
codebook generation in which the size of $S'$ for a given 
$(J, M_2, S)$ is less than therefore with high 
probability $S'$ can be decoded given $(S, J, M_2, Z^n)$), (b) 
follows from bounding the term $H(U^n, V^n, Z^n)$ using properties 
of jointly typical sequences, i.e., $p(u^n, v^n, z^n) \leq 
2^{-n(H(Z) + I(X; U, V|Z) - 3\delta_\epsilon)} = 2^{-n(I(X; U, V) + H(Z|U, V) - 3\delta_\epsilon)}$, 
from the code construction, and from Lemma 1, and (c) from 
the code construction that $S \in [1 : 2^{n(I(Y; V|U) - I(Z; V|U) - \delta_\epsilon)}]$. 

Converse: $U_i$ and $V_i$ are defined as in the converse proof 
of Theorem 1. For any achievable $R_s$, it follows that 

$$
\begin{aligned}
n(R_s - \delta_n) \leq H(S) &= H(S|M, Z^n) + I(S; M, Z^n) \\
&\overset{(a)}{\leq} H(S|M, Z^n) + n\delta_n \\
&\overset{(b)}{\leq} \sum_{i=1}^{n} I(V_i; Y_i|U_i) - I(V_i; Z_i|U_i) + n\delta_n + n\epsilon_n,
\end{aligned}
$$

where (a) follows from the key leakage constraint and (b) 
follows from the steps from (16) to (17). ■ 
Appendix A 

Converse Proof of Region $\mathcal{R}_{1,X-Y-Z}$ 

Let $V_i \triangleq (M, S,$ which satisfies $V_i - X_i - Y_i - Z_i$ 
for all $i = 1, \ldots, n$. For any achievable tuple $(R, L, E)$, it 
follows that 

$$
\begin{aligned}
n(R + \delta_n) &\geq H(M) \\
&\geq H(M|Y^n, Z^n) - H(M, S|X^n, Y^n, Z^n) \\
&= H(M, S|Y^n, Z^n) - H(S|M, Y^n, Z^n) - H(M, S|X^n, Y^n, Z^n) \\
&\overset{(a)}{\geq} I(M, S; X^n|Y^n, Z^n) - n\epsilon_n \\
&\overset{(b)}{\geq} \sum_{i=1}^{n} I(X_i; V_i|Y_i) - n\epsilon_n,
\end{aligned}
$$

where (a) follows from Fano's inequality $H(S|M, Y^n) \leq n\epsilon_n$ 
and (b) follows from the Markov chain $X_i - Y_i - Z_i$, the 
definition of $V_i$, and that conditioning reduces entropy. 

The information leakage, 

$$
\begin{aligned}
n(L + \delta_n) &\geq I(X^n; M, Z^n) = I(X^n; Z^n) + I(X^n; M|Z^n) \\
&\overset{(a)}{\geq} I(X^n; Z^n) + H(M|Z^n, Y^n) - H(M|X^n, Y^n, Z^n) \\
&\overset{(b)}{\geq} I(X^n; Z^n) + H(M, S|Y^n, Z^n) - n\epsilon_n - H(M, S|X^n, Y^n, Z^n) \\
&\overset{(c)}{\geq} \sum_{i=1}^{n} I(X_i; Z_i) + H(X_i|Y_i) - H(X_i|V_i, Y_i) - n\epsilon_n,
\end{aligned}
$$

where (a) follows from the Markov chain $M - (X^n, Z^n) - 
Y^n$, (b) follows from Fano's inequality, (c) follows from the 
Markov chains $X_i - Y_i - Z_i$ and the definition of $V_i$. 

The bound on mFAP exponent follows similarly as in the 
converse proof of Theorem 1, except that the steps from (16) 
to (17) are replaced by 

$$
\begin{aligned}
H(S|M, Z^n) &\overset{(a)}{\leq} H(S|M, Z^n) - H(S|M, Y^n) + n\epsilon_n \\
&\overset{(b)}{=} H(S|M, Z^n) - H(S|M, Y^n, Z^n) + n\epsilon_n \\
&\overset{(c)}{\leq} \sum_{i=1}^{n} H(Y_i|Z_i) - H(Y_i|V_i, Z_i) + n\epsilon_n,
\end{aligned}
$$

where (a) from Fano's inequality, (b) from the Markov chain 
$(S, M) - Y^n - Z^n$, and (c) from the definition of $V_i$. 

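Appendix B 
Proof of Lemma 1 

Let $E$ be a binary random variable taking value 0 if 
$(X^n, U^n(J), V^n(J, K), Y^n, Z^n) \in \mathcal{T}_\epsilon^{(n)}$ and 1 otherwise. 
Since $(X^n, U^n(J), V^n(J, K), Y^n, Z^n) \in \mathcal{T}_\epsilon^{(n)}$ with high 
probability, we have $\Pr(E = 1) \leq \delta_\epsilon$. It follows that 

$$
\begin{aligned}
H(Z^n|J) &\leq H(Z^n|U^n, E) + H(E) \\
&\leq \Pr(E = 0) H(Z^n|U^n, E = 0) + \Pr(E = 1) H(Z^n|U^n, E = 1) + h(\delta_\epsilon) \\
&\leq H(Z^n|U^n, E = 0) + \delta_\epsilon H(Z^n) + h(\delta_\epsilon) \\
&\leq H(Z^n|U^n, E = 0) + n\delta_\epsilon \log|\mathcal{Z}| + h(\delta_\epsilon) \\
&= \sum_{u^n} p(u^n|E = 0) H(Z^n|U^n = u^n, E = 0) + n\delta_\epsilon \log|\mathcal{Z}| + h(\delta_\epsilon) \\
&\leq \sum_{u^n} p(u^n|E = 0) \log|\mathcal{T}_\epsilon^{(n)}(Z|u^n)| + n\delta_\epsilon \log|\mathcal{Z}| + h(\delta_\epsilon) \\
&\leq n(H(Z|U) + \delta'_\epsilon),
\end{aligned}
$$

where $h(\cdot)$ is the binary entropy function, and the last inequality 
follows from the property of jointly typical set [11] with 
$\delta_\epsilon, \delta'_\epsilon \to 0$ as $\epsilon \to 0$, and $\epsilon \to 0$ as $n \to \infty$. 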

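Appendix C 

Converse Proof of the mFAP Exponent Bound 

Similarly as in [6], let us define the set of secret key 
messages that can be reconstructed from $m$, i.e., $\mathcal{C}(m) = \{s : 
\text{there exists a sequence } y^n \in \mathcal{Y}^n \text{ s.t. } g(m, y^n) = s\}$. Also, 
let $C(s, m) = 1$ for $s \in \mathcal{C}(m)$, and 0 otherwise. We have that 
$\delta_n \geq \Pr(\hat{S} \neq S) \geq \sum_m \Pr(M = m, S \notin \mathcal{C}(m)) = \Pr(C = 
0)$. An adversary who knows $m$ and $z^n$ can choose a sequence 
$y^n$ that results in the MAP estimate, i.e., 

$$\hat{s}(m, z^n) = \arg\max_{s \in \mathcal{C}(m)} p(s|m, z^n), \tag{14}$$

and achieves 

$$
\begin{aligned}
\mathrm{FAP} &= \sum_{m, z^n} \Pr(\hat{S} = S, M = m, Z^n = z^n) \\
&\overset{(a)}{=} \sum_{m, z^n} p(m, z^n) \max_{s \in \mathcal{C}(m)} p(s|m, z^n) \\
&\geq \sum_{m, z^n} p(m, z^n) \max_{s \in \mathcal{C}(m)} p(s, C = 1|m, z^n) \\
&\geq \sum_{m, z^n} p(m, z^n)\, p(C = 1|m, z^n) \max_{s \in \mathcal{C}(m)} p(s|m, z^n, C = 1),
\end{aligned}
\tag{15}
$$

where (a) follows from (14). Then for any achievable $E$, it 
follows that 

$$
\begin{aligned}
n(E - \delta_n) &\leq \log\frac{1}{\mathrm{mFAP}} \leq \log\frac{1}{\mathrm{FAP}} \\
&\overset{(a)}{\leq} -\log(\Pr(C = 1)) - \log\Big(\sum_{m, z^n} p(m, z^n|C = 1) \max_{s \in \mathcal{C}(m)} p(s|m, z^n, C = 1)\Big) \\
&\overset{(b)}{\leq} -\log(1 - \delta_n) - \sum_{m, z^n} p(m, z^n|C = 1) \log\Big(\max_{s \in \mathcal{C}(m)} p(s|m, z^n, C = 1)\Big) \\
&\leq -\log(1 - \delta_n) - \sum_{m, z^n} p(m, z^n|C = 1) \sum_{s \in \mathcal{C}(m)} p(s|m, z^n, C = 1) \log(p(s|m, z^n, C = 1)) \\
&= -\log(1 - \delta_n) + H(S|M, Z^n, C = 1),
\end{aligned}
$$

where (a) follows from (15) and (b) follows from $\Pr(C = 
1) \geq 1 - \delta_n$ and Jensen's inequality [14]. 

Continuing the chain of inequalities where 
$(1 - \delta_n) H(S|M, Z^n, C = 1) \leq \Pr(C = 1) H(S|M, Z^n, C = 
1) \leq H(S|M, Z^n)$, we get 

$$(1 - \delta_n) \cdot [n(E - \delta_n) + \log(1 - \delta_n)] \leq H(S|M, Z^n) \tag{16}$$

$$
\begin{aligned}
&\overset{(a)}{\leq} H(S|M, Z^n) - H(S|M, Y^n) + n\epsilon_n \\
&= \sum_{i=1}^{n} I(S; Y_i|M, Y_{i+1}^n) - I(S; Z_i|M, Z^{i-1}) + n\epsilon_n \\
&\overset{(b)}{=} \sum_{i=1}^{n} I(S, Z^{i-1}; Y_i|M, Y_{i+1}^n) - I(S, Y_{i+1}^n; Z_i|M, Z^{i-1}) + n\epsilon_n \\
&\overset{(c)}{=} \sum_{i=1}^{n} I(S; Y_i|M, Y_{i+1}^n, Z^{i-1}) - I(S; Z_i|M, Y_{i+1}^n, Z^{i-1}) + n\epsilon_n \\
&\overset{(d)}{=} \sum_{i=1}^{n} I(V_i; Y_i|U_i) - I(V_i; Z_i|U_i) + n\epsilon_n,
\end{aligned}
\tag{17}
$$

where (a) follows from Fano's inequality, (b) and (c) from 
the Csiszár's sum identity $\sum_{i=1}^{n} I(Y_{i+1}^n; Z_i|M, S, Z^{i-1}) - 
I(Z^{i-1}; Y_i|M, S, Y_{i+1}^n) = 0 = \sum_{i=1}^{n} I(Z^{i-1}; Y_i|M, Y_{i+1}^n) - 
I(Y_{i+1}^n; Z_i|M, Z^{i-1})$, and (d) from the definitions $U_i \triangleq (M, Y_{i+1}^n, Z^{i-1})$ 
and $V_i \triangleq (M, S, Y_{i+1}^n, Z^{i-1})$. 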

Appendix D 

Cardinality Bounds of the Sets $\mathcal{U}$ and $\mathcal{V}$ in Theorem 1 

Consider the expression of $\mathcal{R}_1$ in Theorem 1: 

$$R \geq I(X; V|Y),$$

$$L \geq I(X; V, Y) - I(X; Y|U) + I(X; Z|U),$$

$$E \leq I(V; Y|U) - I(V; Z|U),$$

for some $U \in \mathcal{U}$, $V \in \mathcal{V}$ such that $U - V - X - (Y, Z)$ forms 
a Markov chain. 

We can rewrite some mutual information terms in the 
expression above as 

$$R \geq H(X|Y) - H(X, Y|V) + H(Y|V),$$

$$L \geq H(X) - H(X, Y|V) + H(Y|V) - H(Y|U) + H(Y|X) + H(Z|U) - H(Z|X),$$

$$E \leq H(Y|U) - H(Y|V) - H(Z|U) + H(Z|V).$$

We will show that the random variables $U$ and $V$ may 
be replaced by new ones, satisfying $|\mathcal{U}| \leq |\mathcal{X}| + 3$, 
$|\mathcal{V}| \leq (|\mathcal{X}| + 3)(|\mathcal{X}| + 2)$, and preserving the terms 
$H(X, Y|V)$, $H(Y|V)$, $H(Z|V)$, and $H(Y|U) - H(Z|U)$. 

First, we bound the cardinality of the set $\mathcal{U}$. Let us define 
the following $|\mathcal{X}| + 3$ continuous functions of $p(v|u)$, $v \in \mathcal{V}$, 

$$
\begin{aligned}
f_j(p(v|u)) &= \sum_{v \in \mathcal{V}} p(v|u)\, p(x|u, v), \quad j = 1, \ldots, |\mathcal{X}| - 1, \\
f_{|\mathcal{X}|}(p(v|u)) &= H(X, Y|V, U = u) = H(X, Y, V|U = u) - H(V|U = u), \\
f_{|\mathcal{X}|+1}(p(v|u)) &= H(Y|V, U = u) = H(Y, V|U = u) - H(V|U = u), \\
f_{|\mathcal{X}|+2}(p(v|u)) &= H(Z|V, U = u) = H(Z, V|U = u) - H(V|U = u), \\
f_{|\mathcal{X}|+3}(p(v|u)) &= H(Y|U = u) - H(Z|U = u).
\end{aligned}
$$

The corresponding averages are 

$$
\begin{aligned}
\sum_{u \in \mathcal{U}} p(u) f_j(p(v|u)) &= P_X(x), \quad j = 1, \ldots, |\mathcal{X}| - 1, \\
\sum_{u \in \mathcal{U}} p(u) f_{|\mathcal{X}|}(p(v|u)) &= H(X, Y, V|U) - H(V|U), \\
\sum_{u \in \mathcal{U}} p(u) f_{|\mathcal{X}|+1}(p(v|u)) &= H(Y, V|U) - H(V|U), \\
\sum_{u \in \mathcal{U}} p(u) f_{|\mathcal{X}|+2}(p(v|u)) &= H(Z, V|U) - H(V|U), \\
\sum_{u \in \mathcal{U}} p(u) f_{|\mathcal{X}|+3}(p(v|u)) &= H(Y|U) - H(Z|U).
\end{aligned}
$$

According to the support lemma [12], we can deduce that 
there exists a new random variable $U'$ jointly distributed with 
$(X, Y, Z, V)$ whose alphabet size is $|\mathcal{U}'| = |\mathcal{X}| + 3$, and 
numbers $\alpha_i \geq 0$ with $\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i = 1$ that satisfy 

$$
\begin{aligned}
\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i f_j(P_{V|U'}(v|i)) &= P_X(x), \quad j = 1, \ldots, |\mathcal{X}| - 1, \\
\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i f_{|\mathcal{X}|}(P_{V|U'}(v|i)) &= H(X, Y, V|U') - H(V|U'), \\
\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i f_{|\mathcal{X}|+1}(P_{V|U'}(v|i)) &= H(Y, V|U') - H(V|U'), \\
\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i f_{|\mathcal{X}|+2}(P_{V|U'}(v|i)) &= H(Z, V|U') - H(V|U'), \\
\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i f_{|\mathcal{X}|+3}(P_{V|U'}(v|i)) &= H(Y|U') - H(Z|U').
\end{aligned}
$$

Note that we have 

$$
\begin{aligned}
H(X, Y, V|U') - H(V|U') &= H(X, Y, V|U) - H(V|U) \\
&\overset{(a)}{=} H(X, Y|V),
\end{aligned}
$$

where (a) follows from the Markov chain $U - V - 
X - (Y, Z)$. Similarly, from the Markov chain $U - V - 
X - (Y, Z)$, we have that $H(Y, V|U') - H(V|U') = 
H(Y, V|U) - H(V|U) = H(Y|V)$, and $H(Z, V|U') - 
H(V|U') = H(Z, V|U) - H(V|U) = H(Z|V)$. Since 
$P_X(x)$ is preserved, $P_{X,Y,Z}(x, y, z)$ is also preserved. Thus, 
$H(X|Y)$, $H(Y|X)$, $H(Z|X)$ are preserved. 

Next we bound the cardinality of the set $\mathcal{V}$. For each $u' \in 
\mathcal{U}'$, we define the following $|\mathcal{X}| + 2$ continuous functions of 
$p(x|u', v)$, $x \in \mathcal{X}$, 

$$
\begin{aligned}
f_j(p(x|u', v)) &= p(x|u', v), \quad j = 1, \ldots, |\mathcal{X}| - 1, \\
f_{|\mathcal{X}|}(p(x|u', v)) &= H(X, Y|U' = u', V = v), \\
f_{|\mathcal{X}|+1}(p(x|u', v)) &= H(Y|U' = u', V = v), \\
f_{|\mathcal{X}|+2}(p(x|u', v)) &= H(Z|U' = u', V = v).
\end{aligned}
$$

Similarly to the previous part in bounding $|\mathcal{U}|$, there exists 
a new random variable $V'|\{U' = u'\} \sim p(v'|u')$ such that 
$|\mathcal{V}'| = |\mathcal{X}| + 2$ and $p(x|u')$, $H(X, Y|U' = u', V)$, $H(Y|U' = 
u', V)$, and $H(Z|U' = u', V)$ are preserved. 

By setting $V'' = (V', U')$ where $\mathcal{V}'' = \mathcal{V}' \times \mathcal{U}'$, we have 
that $U' - V'' - X - (Y, Z)$ forms a Markov chain. 

Furthermore, we have the following preservations by $V''$, 

$$
\begin{aligned}
H(X, Y|V'') &= H(X, Y|V', U') \\
&\overset{(a)}{=} H(X, Y|V, U') \\
&\overset{(b)}{=} H(X, Y|V, U) \\
&\overset{(c)}{=} H(X, Y|V),
\end{aligned}
$$

where (a) follows from preservation by $V'$, (b) follows from 
preservation by $U'$, and (c) follows from the Markov chain 
$U - V - X - (Y, Z)$. Similarly, from preservation by $U'$ and 
$V'$, and the Markov chain $U - V - X - (Y, Z)$, we have 
that $H(Y|V'') = H(Y|V', U') = H(Y|V)$ and $H(Z|V'') = 
H(Z|V', U') = H(Z|V)$. 

Therefore, we have shown that $U \in \mathcal{U}$ and $V \in \mathcal{V}$ may be 
replaced by $U' \in \mathcal{U}'$ and $V'' \in \mathcal{V}''$ satisfying 

$$|\mathcal{U}'| = |\mathcal{X}| + 3,$$

$$|\mathcal{V}''| = |\mathcal{U}'||\mathcal{V}'| = (|\mathcal{X}| + 3)(|\mathcal{X}| + 2),$$

and preserving the terms $H(X, Y|V)$, $H(Y|V)$, $H(Z|V)$, and 
$H(Y|U) - H(Z|U)$. 


Appendix E 

Proof of the Compression-leakage-mFAP 
Exponent Region in the Binary Example 

Achievability: Let $V$ be an output of a BSC($\alpha$) with input 
$X$. Then it follows from the expression of $\mathcal{R}_{1,X-Y-Z}$ that 

$$
\begin{aligned}
R &\geq I(X; V|Y) \\
&\overset{(a)}{=} p \cdot (H(X) - H(X|V)) \\
&\overset{(b)}{=} p \cdot (1 - h(\alpha)),
\end{aligned}
$$

where (a) follows since $Y = e$ with probability $p$, otherwise 
$Y = X$, and (b) follows from the choice of $V$, 

$$
\begin{aligned}
L &\geq I(X; Z) + I(X; V|Y) \\
&\overset{(a)}{=} 1 - H(X|Z) + p \cdot (1 - h(\alpha)) \\
&\overset{(b)}{=} 1 - ((1 - p)q + p) + p \cdot (1 - h(\alpha)) \\
&= (1 - q)(1 - p) + p \cdot (1 - h(\alpha)),
\end{aligned}
$$

where (a) follows from the bound on $R$ and (b) follows since 
$Z = e$ with probability $(1 - p)q + p$, otherwise $Z = X$. 

$$
\begin{aligned}
E &\leq I(Y; V|Z) \\
&\overset{(a)}{=} I(X; V|Z) - I(X; V|Y) \\
&\overset{(b)}{=} ((1 - p)q + p) \cdot I(X; V) - p \cdot (1 - h(\alpha)) \\
&= q(1 - p)(1 - h(\alpha)),
\end{aligned}
$$

where (a) follows from the Markov chain $V - X - Y - Z$ 
and (b) follows since $Z = e$ with probability $(1 - p)q + p$, 
otherwise $Z = X$. 

Converse: Let $(R, L, E)$ be an achievable tuple. We now 
prove that there exists $\alpha \in [0, 1/2]$ satisfying the inequalities 
shown in the achievability above. From $\mathcal{R}_{1,X-Y-Z}$, we have 
the following bound on the compression rate $R$. 

$$
\begin{aligned}
R &\geq I(X; V|Y) \\
&= p \cdot I(X; V) \\
&= p \cdot (1 - H(X|V)).
\end{aligned}
$$

Since $0 \leq H(X|V) \leq H(X) = 1$, and $h(\cdot)$ is a continuous 
one-to-one mapping from $[0, 1/2]$ to $[0, 1]$, there exists $\alpha \in 
[0, 1/2]$ s.t. $H(X|V) = h(\alpha)$, and thus $R \geq p \cdot (1 - h(\alpha))$. 
The bounds on $L$ and $E$ readily follow from $H(X|V) = h(\alpha)$. 


